US9054865B2ActiveUtilityA1

Cryptographic system and methodology for securing software cryptography

71
Assignee: V KEY INCPriority: Nov 16, 2011Filed: Nov 16, 2012Granted: Jun 9, 2015
Est. expiryNov 16, 2031(~5.3 yrs left)· nominal 20-yr term from priority
Inventors:Joseph Gan
G06F 21/53H04L 9/32H04L 2209/24H04L 9/14
71
PatentIndex Score
3
Cited by
17
References
19
Claims

Abstract

A cryptosystem having a secure Cryptographic Virtual Machine (CVM) protected by a Tamper-Proof Virtual Layer (TPVL) for performing cryptography in software is described. The CVM and TPVL allow software applications to store and process cryptographic keys and data in a secure and tamper-proof manner, without requiring the use of a Hardware Security Module (HSM).

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A product for providing cryptography to applications being performed on a device comprising:
 instructions for directing a processing unit to:
 provide a cryptographic sandbox that includes:
 a virtual cryptographic machine that performs cryptographic operations including decrypting virtual machine codes, 
 a tamper-proof virtual layer within the cryptographic sandbox to protect cryptographic operations from unauthorized observers, 
 a sandbox interface that receives requests for cryptographic operations from a client application and transmits results of the cryptographic operations performed by the virtual cryptographic machine to the client application; and 
 
 
 a non-transitory media readable by the processing unit to store the instructions. 
 
     
     
       2. The product of  claim 1  wherein the instructions for providing the cryptographic sandbox further comprise instructions for the cryptographic sandbox to include:
 a secure virtual storage for storing cryptographic keys and data. 
 
     
     
       3. The product of  claim 1  wherein the secure virtual storage is within a memory space of the virtual cryptographic machine. 
     
     
       4. The product of  claim 1  wherein the secure virtual storage is outside the virtual cryptographic machine. 
     
     
       5. The product of  claim 1  wherein the instructions for providing a sandbox including a virtual cryptographic machine further comprise instructions to provide the virtual cryptographic machine with a virtual machine interpreter that obfuscates operation of the virtual cryptographic machine from an underlying operating system. 
     
     
       6. The product of  claim 5  wherein the instructions for providing the virtual machine interpreter includes instructions for directing the processing unit to:
 receive a function call from an underlying operating system in the machine interpreter, 
 verify the function call with the machine interpreter, and 
 perform the function call in the virtual cryptographic machine in response to the function call being verified. 
 
     
     
       7. The product of  claim 1  wherein the instructions for providing the cryptographic sandbox further comprise instructions to provide the virtual cryptographic machine with a cryptographic module that performs the cryptographic operations. 
     
     
       8. The product of  claim 1  wherein the instructions for providing the tamper proof layer include instructions that provide a set of virtual machine codes in an encrypted form that are decrypted at runtime to allow normal operation of the virtual cryptographic machine. 
     
     
       9. The product of  claim 1  wherein the instructions for providing the cryptographic sandbox further comprise instructions for directing the processing unit to provide the virtual cryptographic machine with anti-debugging techniques to prevent debugging the virtual cryptographic machine. 
     
     
       10. The product of  claim 1  wherein the instructions for providing the cryptographic sandbox further comprise instructions directing the processing unit to:
 establish a secure connection to a trusted party, 
 determine whether an update is available, and 
 upload the update to memory. 
 
     
     
       11. A method for providing a virtual cryptographic sandbox for performing cryptographic operations in a device with a processing system comprising:
 receiving a request to perform a cryptographic operation from an application in a sandbox interface performed by the processing system; 
 performing the cryptographic operation using a virtual cryptographic machine being performed by the processing system, the cryptographic operation including decrypting virtual machine codes, 
 providing a tamper proof layer within the virtual cryptographic machine that protects the cryptographic operations from unauthorized users, and 
 transmitting a result of the cryptographic operation using the sandbox interface. 
 
     
     
       12. The method of  claim 11  further comprising:
 storing encrypted keys and data and an encrypted storage, and 
 accessing the encrypted keys and data to perform the cryptographic operation. 
 
     
     
       13. The method of  claim 12  wherein the encrypted storage is within a memory space of the virtual cryptographic machine. 
     
     
       14. The method of  claim 12  wherein the encrypted storage is within a memory space of an underlying operating system. 
     
     
       15. The method of  claim 11  further comprising:
 obfuscating the operation of the virtual cryptographic machine from an underlying operating system. 
 
     
     
       16. The method of  claim 15  further comprising:
 receiving a function call from an underlying operating system in the machine interpreter, 
 verifying the function call with the machine interpreter, and 
 performing the function call in the virtual cryptographic machine in response to the function call being verified. 
 
     
     
       17. The method of  claim 11  further comprising:
 performing the cryptographic operations in a cryptographic module of virtual cryptographic machine. 
 
     
     
       18. The method of  claim 11  further comprising:
 providing the virtual cryptographic machine with anti-debugging techniques to prevent debugging the virtual cryptographic machine. 
 
     
     
       19. The method of  claim 11  further comprising:
 establishing a secure connection to a trusted party; 
 determining whether an update for the cryptographic sandbox is available; and 
 uploading the update to memory.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.